Scareware peddlers have developed a new ruse that relies on mimicking browser warning pages.
The malicious code - dubbed Zeven - auto-detects a user's browser before serving up a warning page that poses as the genuine pages generated by IE, Firefox or Chrome. Prospective marks are warned that their systems are riddled with …

So you didn't actually look at the screenshots then?

Because if you did you'd have seen that they initially spoof the browser 'This website has been reported as hosting malicious content' screens. Which are all red. It then redirects you to the download site to get the 'security update'.

Read it again

Its usually the grammar that gives it away

Phrases such as "Warning: Visit this site may harm your computer", instead of "Visiting..." or "...based on your security preference" instead of "...based on your security preferences", usually give it away I find.

Then again your joe average user just clicks away without reading the warnings.. ."I just saw the icon man, and thought it was ok...."

Reverse DNS is usefull here.

I always use reverse DNS, and many other security tools, here but most people wouldn't even know why to use such a tool let alone the right context. Nice job on their part. A bit more polish and I'd bet they could snag even most of the top 1% of professionals.